1. Field of the Invention
This invention relates to the field of data processing systems. More particularly, this invention relates to the field of malware scanners and the validating of components forming a malware scanner.
2. Description of the Prior Art
It is known to provide malware scanners that comprise multiple components. As an example, a malware scanner resident on a client computer may include an updating component responsible for checking for updates of the other components of the malware scanner and installing those updated components when they become available having first downloaded them from a remote source. Further components will typically provide a malware scanner engine responsible for controlling and directing the malware scanning operation and malware definition data used to identify the different types of malware for which a scan is being made.
As illustrated in FIG. 1 of the accompanying drawings, a malware scanner provider may have a server 2 connected to the internet 4 and upon which server 2 they make available regularly updated malware scanner components, such as malware scanner engines and malware definition data sets, for download. Typically the malware definition data (DAT) will be updated most frequently as new viruses and variants of viruses are encountered. The malware scanner engine will also be updated from time to time, although generally less frequently than the malware definition data. The malware scanning engine may be updated for reasons such as a requirement to support new types of algorithm for scanning for malware.
As illustrated in FIG. 1, individual computers 6 and networks 8 will be connected to the internet 4 and under control of their update programs will periodically check the server 2 to determine whether more up-to-date versions of the malware scanner engine and the malware definition data are available compared to the versions of these components that are currently present. As illustrated, the computer 6 is fully up-to-date and has the latest versions (Vn) of both the malware scanner engine and the malware definition data. Conversely, two of the client computers 10, 12 on the network 8 have out of date versions of at least one of the malware scanner components and accordingly are in need of updating by downloading the latest versions of those components from the server 2 or from a locally held copy.
It will be appreciated that malware can include a wide variety of different forms of unwanted material that may be present upon a computer, such as computer viruses, worms, Trojans, banned computer files, documents containing banned words, banned images and the like. It will be understood that in order to provide a high degree of protection against such threats it is important that the components of the malware scanner be regularly and promptly updated as new versions become available. However, this regular and routine updating of malware scanner components introduces a vulnerability into the protection being provided in that these components may be targets for spoofing and tampering by virus writers and viruses. There have been known cases in which false malware definition data updates have been distributed with malicious intent.
In order to provide a defence against tampering and spoofing of malware scanner components it is known to digitally sign and/or encrypt the components. As is illustrated in FIG. 2 of the accompanying drawings, the malware definition data 14 and the malware scanner engine 16 are both signed with a digital signature which has been calculated using a private key of an asymmetric private key/public key encryption mechanism, such as PGP or the like. The private keys for generating the signatures on the malware definition data 14 and the malware scanner engine 16 are secret and known only to the provider of these malware scanner components. The public key necessary for validating the signature on the malware definition data 14 is carried by the malware scanner engine 16. Accordingly, when a new set of malware definition data 14 is loaded, the malware scanner engine 16 may read its signature and validate this using the public key carried by the malware scanner engine 16. In a similar way, the malware scanner engine 16 is digitally signed with a signature derived from a private key known only to the engine provider, and the corresponding public key is held within the update software of the client computer and is used to check the signature on the malware scanner engine 16 when a new malware scanner engine 16 is loaded.
It is an object of the present invention to improve the security and ease of maintenance and update of malware scanner systems.
Viewed from one aspect the present invention provides a computer program product for controlling a computer to validate a plurality of components of a malware scanner, said computer program product comprising:
validating code operable to validate each component of said plurality of components using signature data associated with said component and validating data associated with another of said components such that said plurality of components validate each other.
The invention both recognises and addresses problems associated with the above described prior art techniques. More particularly, the invention recognises that it is difficult and slow to update the updating component of a malware scanner system. Also, the updating component may not be present in some configurations. Accordingly, should it be necessary or desirable to change the public key information held within the update software, then considerable difficulty is encountered in making this change across the user base of the malware scanner. Furthermore, the invention recognises that the protection of the malware scanner engine from tampering or spoofing is in some ways more important than protecting the malware definition data, since the malware scanner engine will typically be one or more DLLs with a documented format that may be relatively easily understood, modified and/or patched for malicious purposes. Any modification to the engine (malicious or not) can cause malfunction, false alarms and even data loss.
In contrast, the malware definition data is much less likely to be spoofed or tampered with since its format is generally undocumented and it may be encrypted or otherwise protected in ways which make it difficult to understand. Having recognised the problem of the difficulty in updating the updating software itself and the relative vulnerability of the malware scanner engine, the present invention addresses these problems by providing a plurality of malware scanner components that cross-check each other without any dependence outside of the group for validation. Thus, for example, the malware scanner engine and the malware definition data may be made to validate each other, so that the updating software need carry no public key data and accordingly, should a change need to be made in the keys being employed, no changes are needed in the updating software. This also gives an advantage in a configuration where the scanner software resides on a computer that is not networked and so the updating component may not be installed. Furthermore, placing the public key used to validate the malware scanner engine within the malware definition data makes this key more difficult to identify and accordingly generally improves the level of security.
For additional security it may be desirable to store the private key in another component rather than in the one that performs the validation.
Whilst the above has discussed malware scanner engine and malware definition data components as particularly suitable for use with the current technique, it will be appreciated that other components within a malware scanner system may be dealt with in the same way and included within a closed group whose members check one another.
Whilst it will be appreciated that the signature data and the validating data could be associated with the malware scanning components in a variety of different ways, such as within an associated separate file, in preferred embodiments the signature data and the validating data are embedded within the respective component in order to improve security.
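As an added example (not the patent's code) of the cross-checking group described above and of embedding the signature data and validating data within the component itself, the following Go program signs an engine and a DAT with separate Ed25519 keys from the standard library, embeds each public key in the other component, and validates the pair with no key held by the updater. The Component layout, the field names and the sample payloads are assumptions of this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Component is one member of the self-checking group: its payload, the public
// key for validating the *other* member (validating data) and a signature over
// payload||PeerPubKey under its own private key (signature data). Layout is ours.
type Component struct {
	Payload    []byte
	PeerPubKey ed25519.PublicKey // fixed 32 bytes, so concatenation is unambiguous
	Signature  []byte
}
// signedBytes: the signature covers the embedded peer key too, so a swapped key is detected.
func (c Component) signedBytes() []byte {
	return append(append([]byte{}, c.Payload...), c.PeerPubKey...)
}

// BuildPair signs engine and DAT with separate keys and embeds each public key in the other.
func BuildPair(enginePayload, datPayload []byte) (Component, Component, error) {
	enginePub, enginePriv, err1 := ed25519.GenerateKey(rand.Reader)
	datPub, datPriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		return Component{}, Component{}, fmt.Errorf("key generation failed")
	}
	engine := Component{Payload: enginePayload, PeerPubKey: datPub}
	engine.Signature = ed25519.Sign(enginePriv, engine.signedBytes())
	dat := Component{Payload: datPayload, PeerPubKey: enginePub}
	dat.Signature = ed25519.Sign(datPriv, dat.signedBytes())
	return engine, dat, nil
}
// ValidatePair checks each component with the key its peer carries; the updater needs none.
func ValidatePair(engine, dat Component) error {
	if !ed25519.Verify(dat.PeerPubKey, engine.signedBytes(), engine.Signature) {
		return fmt.Errorf("engine rejected: does not verify under key carried by DAT")
	}
	if !ed25519.Verify(engine.PeerPubKey, dat.signedBytes(), dat.Signature) {
		return fmt.Errorf("DAT rejected: does not verify under key carried by engine")
	}
	return nil
}

func main() { // constructed sample payloads; patching one byte makes validation fail
	engine, dat, _ := BuildPair([]byte("engine v2 (constructed)"), []byte("DAT 4711 (constructed)"))
	fmt.Println("genuine:", ValidatePair(engine, dat))
	engine.Payload[0] ^= 0xff
	fmt.Println("patched:", ValidatePair(engine, dat))
}
```

ed25519.Verify panics if the supplied public key is not 32 bytes, so a parser for a real on-disk component format should check the embedded key length before calling ValidatePair.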
The computer program code (validating code) which reads the signatures and validating data and makes the necessary checks could be provided outside of the components themselves, but in preferred embodiments is provided within at least one of the components. Embedding the validating code within the components themselves improves the security of this code and enhances the ability to adapt or update this validating code as may be necessary. As an example, the malware definition data may contain a program in the form of native processor code or in the form of interpretable p-code executed by the malware scanner engine.
Whilst it will be appreciated that a wide variety of different types of signature data and validating data may be used, such as checksum type data, preferred embodiments of the invention utilise private/public encryption key pairs.
Whilst the invention provides improvements in a variety of situations, it is particularly well suited to systems in which the malware scanner components are updateable from a remote source using an updating program. The present technique enables the validation of the components that are updated to be made without dependence upon the updating program. The present technique is equally suitable for systems with or without an updating component.
Other aspects of the present invention provide a method of validating a plurality of components of a malware scanner and an apparatus for validating a plurality of components of a malware scanner.
A further aspect of the invention provides a malware definition data component of a malware scanner, said malware definition data component comprising signature data usable to validate said malware definition data component and validating data usable to validate one or more further components of said malware scanner.
Malware definition data including both its own signature and validation data used to validate one or more further components of a malware scanner provides significant advantages since it gives a degree of security to the validation data, allows the validation data and its associated validating code (algorithm) to be relatively easily modified and utilises known distribution mechanisms for malware definition data.